malwarewikiaorg-20200223-history
Buran
Buran is a ransomware that runs on Microsoft Windows. It appends an extension of seemingly random letters and numbers (for example .3674AD9F-5958-4F2A-5CB7-F0F56A8885EA) to the files it encrypts. As of right now, it uses OilRig's exploit kit. It is part of the VegaLocker family. It is named after the spacecraft of the same name. It is aimed at English-speaking users.

Payload Transmission

Buran is spread through spam emails and email attachments.

Infection

When the RIG exploit kit drops the ransomware executable onto a victim's machine and executes it, the ransomware will copy itself to %APPDATA%\microsoft\windows\ctfmon.exe and launch itself from there. It does not appear to delete shadow volume copies, disable the Windows automatic startup repair, or clear event logs; it goes straight to the encryption process.

When encrypting files, the ransomware will skip all files that have certain extensions, reside under certain folders, or have certain file names.

The list of excluded extensions is:
.cmd
.com
.cpl
.dll
.msc
.msp
.pif
.scr
.sys
.log
.exe
.buran

The list of excluded folders is:
\windows media player\
\apple computer\safari\
\windows photo viewer\
\windows portable devices\
\windows security\
\embedded lockdown manager\
\reference assemblies\
:\windows.old\
:\inetpub\logs\
:\$recycle.bin\
:\$windows.~bt\
\application data\
\google\chrome\
\mozilla firefox\
\opera software\
\tor browser\
\common files\
\internet explorer\
\windows defender\
\windows mail\
\windows nt\
\windowspowershell\
\windows journal\
\windows sidebar\
\package cache\
\microsoft help\
:\recycler
:\windows\
c:\windows\
:\intel\
:\nvidia\
\all users\
\appdata\
\boot\
\google\
\mozilla\
\opera\
\msbuild\
\microsoft\

The list of excluded files is:
!!! your files are encrypted !!!.txt
boot.ini
bootfont.bin
bootsect.bak
defender.exe
desktop.ini
iconcache.db
ntdetect.com
ntuser.dat.log
unlocker.exe
master.exe
master.dat
ntldr
ntuser.dat
ntuser.ini
temp.txt
thumbs.db
unlock.exe

When encrypting a file, the ransomware will append the victim's unique ID to the file name as an extension. For example, if a victim has the ID 173C0FE5-3871-B991-E67D-24FEBA3FC981, then a file named 4.jpg would be encrypted and renamed to 4.jpg.173C0FE5-3871-B991-E67D-24FEBA3FC981. Each of this variant's encrypted files can be identified by the Buran file marker prepended to the beginning of the file. During the encryption process, the ransomware will also write what appear to be the public and private encryption keys to the Registry key HKEY_CURRENT_USER\Software\Buran.

The ransomware will also create ransom notes named !!! your files are encrypted !!!.txt throughout the system. These ransom notes contain the email addresses polssh1@protonmail.com and polssh@protonmail.com, which the victim is told to use to contact the attackers for payment instructions, and a unique ID associated with the victim. The ransom note says the following:

!!! YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email polssh1@protonmail.com and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email polssh1@protonmail.com
polssh@protonmail.com
Your personal ID: 173C0FE5-3871-B991-E67D-24FEBA3FC981
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Category:Ransomware Category:Win32 ransomware Category:Win32 Category:Microsoft Windows Category:Trojan Category:Win32 trojan
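The host-level indicators described in the Infection section (the victim-ID extension appended to encrypted files, the file marker at offset 0, the ransom note name and its "Your personal ID:" line, and the ctfmon.exe copy under %APPDATA%\microsoft\windows) can be checked mechanically during incident triage. The script below is an added example written for this page; it is not code from the wiki or from any analysis tool. It assumes the file marker is the ASCII bytes BURAN at offset 0 (the page only says that a marker is prepended) and treats any 8-4-4-4-12 hexadecimal suffix as a victim ID; the directory it scans is constructed inline from the page's example names, so it runs offline.

```python
"""Offline triage helper for Buran-style indicators (added example, not from the wiki).

Assumptions not stated on the page:
  * the "Buran file marker" is the ASCII bytes b"BURAN" at offset 0
  * any 8-4-4-4-12 hex suffix on a file name is treated as a victim ID
"""
import os
import re
import tempfile
from pathlib import Path

# Victim ID appended as the final extension, e.g. 4.jpg.173C0FE5-3871-B991-E67D-24FEBA3FC981
VICTIM_ID_RE = re.compile(
    r"^(?P<original>.+)\.(?P<vid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})$",
    re.IGNORECASE,
)
RANSOM_NOTE_NAME = "!!! your files are encrypted !!!.txt"   # note name given on the page
NOTE_ID_RE = re.compile(r"Your personal ID:\s*([0-9A-F-]{36})", re.IGNORECASE)
ASSUMED_MARKER = b"BURAN"   # assumption: the page says only that a marker is prepended
DROP_SUFFIX = "/microsoft/windows/ctfmon.exe"   # page: %APPDATA%\microsoft\windows\ctfmon.exe


def parse_encrypted_name(name: str):
    """Split 'original.ext.<VICTIM-ID>' into (original name, victim id); None if no ID suffix."""
    m = VICTIM_ID_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("vid").upper()


def has_marker(path: Path) -> bool:
    """True when the file starts with the (assumed) Buran marker bytes."""
    with open(path, "rb") as fh:
        return fh.read(len(ASSUMED_MARKER)) == ASSUMED_MARKER


def parse_note_id(text: str):
    """Pull the 'Your personal ID:' value out of a ransom note body, or None."""
    m = NOTE_ID_RE.search(text)
    return m.group(1).upper() if m else None


def is_suspicious_ctfmon(path: str, appdata: str) -> bool:
    """ctfmon.exe normally lives in System32; a copy under %APPDATA%\\microsoft\\windows is the IOC."""
    def norm(p: str) -> str:
        return p.replace("\\", "/").rstrip("/").lower()
    return norm(path) == norm(appdata) + DROP_SUFFIX


def triage(root: Path) -> dict:
    """Walk root and collect encrypted files, ransom notes and the victim IDs seen in each."""
    result = {"encrypted": [], "unmarked": [], "notes": [],
              "ids_from_files": set(), "ids_from_notes": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME:
                result["notes"].append(str(full))
                vid = parse_note_id(full.read_text(errors="replace"))
                if vid:
                    result["ids_from_notes"].add(vid)
                continue
            parsed = parse_encrypted_name(name)
            if parsed is None:
                continue
            original, vid = parsed
            if has_marker(full):
                result["encrypted"].append((str(full), original))
                result["ids_from_files"].add(vid)
            else:
                # ID-style suffix but no marker: do not attribute it to this family
                result["unmarked"].append(str(full))
    return result


def build_sample_tree() -> Path:
    """Constructed sample data mirroring the page's example names (not real artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="buran_triage_"))
    vid = "173C0FE5-3871-B991-E67D-24FEBA3FC981"
    (root / f"4.jpg.{vid}").write_bytes(ASSUMED_MARKER + b"\x00" * 16)
    (root / "docs").mkdir()
    (root / "docs" / f"report.docx.{vid}").write_bytes(ASSUMED_MARKER + b"\x11" * 16)
    (root / "docs" / "notes.txt").write_bytes(b"untouched")
    (root / f"decoy.bin.{vid}").write_bytes(b"not-buran")   # suffix only, no marker
    (root / RANSOM_NOTE_NAME).write_text(
        "!!! YOUR FILES ARE ENCRYPTED !!!\nWrite to email polssh1@protonmail.com\n"
        f"Your personal ID: {vid}\n")
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print("encrypted files:", len(r["encrypted"]), "ransom notes:", len(r["notes"]))
    print("victim ID(s) from file names:", r["ids_from_files"])
    print("victim ID(s) from notes:     ", r["ids_from_notes"])
    print("suffix without marker:", r["unmarked"])
```

Files that carry an ID-style suffix but not the marker are reported separately, because the suffix alone does not prove this family; the original file name recovered from each encrypted name is what a restore-from-backup job needs. The Registry key HKEY_CURRENT_USER\Software\Buran mentioned on the page is a further indicator to check on the live host and is not read by this offline script.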